Docker Security Hole Revealed: Mitigate CVE-2019-5736

How it was Discovered:

On February 11th, a critical vulnerability in runC binary was released. According to Aleksa Sarai, a SUSE container senior software engineer and a runC maintainer, security researchers Adam Iwaniuk and Borys Popławski discovered the vulnerability. As published in NIST National Vulnerability Database (NVD) “The vulnerability allows attackers to overwrite the host runC binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers:

(1) A new container with an attacker-controlled image, or

(2) An existing container, to which the attacker had previously written access that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.

Exploitation code for this vulnerability will be released on February 18th, and this is why you must act fast!

Wait, Which Services are Affected?

This issue affects several open-source container management systems such as:

Red Hat Enterprise Linux, OpenShift

Docker Engine – any version before 18.09.2

Kubernetes

AWS: services which are using containers such as: ECS, EKS, AWS Fargate

Google: GKE

Azure: AKS

What Should I Do?

If you are using any of the services listed above, you may need to ensure that you are not using vulnerable versions, and/or update your current security settings.

For additional instructions, please follow the advisories below:

Amazon: In a security advisory published by Amazon, if you are using one of the 11 Amazon Web Services offerings listed in advisory, you may need to launch a new instance and ensure you are up to date with the latest versions.

Red Hat: Red Hat also issued an advisory. Red Hat says the flaw likely won’t affect many of its customers.

Google: In its advisory, Googlewrote that “Kubernetes Engine (GKE) Ubuntu nodes are affected by these vulnerabilities, and we recommend that you upgrade to the latest patch version as soon as possible, as we detail below.”

Docker: The same advice applies to popular containerization vendor Docker. It issued an updateon Monday – version 18.09.2 – that includes a patch for the flaw.

CloudGuard Dome9 helps organizations visualize and assess their security posture, detect misconfigurations, and enforce security best practices. It can therefore alert users about their exposure to the vulnerability. For example, it will identify vulnerable Fargate services and tasks, in order to re-launch them using the recommended platform version. As per the AWS recommendation: “An updated version of Fargate is available for Platform Version 1.3 that mitigates the issues described in CVE-2019-5736. Patched versions of the older Platform Versions (1.0.0, 1.1.0, 1.2.0) will be made available by March 15th, 2019”.

How? CloudGuard Dome9 detects your security posture using its innovative language for specifying security policies, called Governance Specification Language (GSL). Unlike other systems that require writing code to define custom rules, GSL allows administrators to create new rules that are written in common language and easy to understand.

New GSL compliance rules check your AWS environment vulnerability to CVE-2019-5736 and are now available with CloudGuard Dome9. Scroll to the bottom for details.

Are you exposed? Here’s how to check with CloudGuard Dome9 GSL

In your AWS environment, you should ensure that you are running Fargate Platform Version – 1.3 for all the instances launched before today. You can easily do it using the following Governance Specification Language (GSL) from CloudGuard Dome9:

EcsTask where launchType=’FARGATE’ and platformVersion=’1.3.0′ should not have createdAt < 1549843200

The fix for older versions will occur on March 15th, 2019, until then, all Fargate instances that are vulnerable can be listed using the following GSL:

EcsTask where launchType=’FARGATE’ and platformVersion in (‘1.0.0’, ‘1.1.0’, ‘1.2.0’) should not have createdAt < 1552608000

AWS recommends customers who are running standalone tasks should terminate existing tasks, and re-launch using the latest version. Specific instructions can be found in the Fargate update documentation.

If you would like to learn more about the comprehensive security and compliance solutions CloudGuard Dome9 provides, please sign-up for a Free Demo or request a Free Trial. A Check Point representative will reach out to you directly to fulfill your request.